CVE-2025-24654
Published: 03 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24654 is a Missing Authorization vulnerability (CWE-862) in the Squirrly SEO WordPress plugin by Squirrly SEO. The issue affects all versions of the plugin from n/a through 12.4.07, allowing unauthorized access to certain functionalities due to insufficient permission checks.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), the vulnerability can be exploited by low-privileged users, such as contributors or authors on a WordPress site. Attackers can remotely trigger the issue with low complexity and no user interaction required, potentially leading to limited disclosure of sensitive information alongside high-impact modifications to site data or configurations.
Patchstack advisories detail the vulnerability and recommend updating to a patched version of the Squirrly SEO plugin beyond 12.4.07. Further mitigation guidance is available at https://patchstack.com/database/Wordpress/Plugin/squirrly-seo/vulnerability/wordpress-squirrly-seo-plugin-12-4-05-broken-access-control-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) in public-facing WordPress plugin allows low-privileged authenticated users to access functionalities and perform high-impact modifications, directly enabling exploitation of the public-facing application (T1190) and privilege escalation via software vulnerability (T1068).